Add fix for ecdsa 192 and rsa tests

Test User · Test User · commit c00cbd678b4a · 2025-10-17T13:58:16.000-07:00
diff --git a/debian/rules b/debian/rules
@@ -82,4 +82,6 @@ override_dh_auto_clean:
 	rm -rf test/standalone/tests/.libs
 
 override_dh_auto_test:
+	# Set LD_LIBRARY_PATH to find installed wolfSSL/OpenSSL libraries
+	export LD_LIBRARY_PATH=/usr/lib/$(DEB_HOST_MULTIARCH):$$LD_LIBRARY_PATH && \
 	$(MAKE) test
diff --git a/test/test_ecc.c b/test/test_ecc.c
@@ -958,6 +958,36 @@ int test_ecdsa_p192_pkey(void *data)
         pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, sizeof(ecc_key_der_192));
         err = pkey == NULL;
     }
+#if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
+    /* In FIPS mode, P-192 operations are not allowed, so we expect all operations to fail */
+    if (err == 0) {
+        PRINT_MSG("Sign with OpenSSL");
+        ecdsaSigLen = sizeof(ecdsaSig);
+        err = test_pkey_sign_ecc(pkey, osslLibCtx, buf, sizeof(buf), ecdsaSig,
+                                 &ecdsaSigLen);
+        /* OpenSSL should also reject P-192 in FIPS mode */
+        err = err != 1;
+        if (err == 0) {
+            PRINT_MSG("OpenSSL sign failed, expected (P-192 not allowed w/ FIPS)");
+        }
+        else {
+            PRINT_MSG("OpenSSL sign succeeded, unexpected (P-192 not allowed w/ FIPS)");
+        }
+    }
+    if (err == 0) {
+        PRINT_MSG("Sign with wolfprovider");
+        ecdsaSigLen = sizeof(ecdsaSig);
+        err = test_pkey_sign_ecc(pkey, wpLibCtx, buf, sizeof(buf), ecdsaSig,
+                                 &ecdsaSigLen);
+        err = err != 1;
+        if (err == 0) {
+            PRINT_MSG("ECDSA failed, expected (P-192 not allowed w/ FIPS)");
+        }
+        else {
+            PRINT_MSG("ECDSA succeeded, unexpected (P-192 not allowed w/ FIPS)");
+        }
+    }
+#else
     if (err == 0) {
         PRINT_MSG("Sign with OpenSSL");
         ecdsaSigLen = sizeof(ecdsaSig);
@@ -982,17 +1012,6 @@ int test_ecdsa_p192_pkey(void *data)
         ecdsaSigLen = sizeof(ecdsaSig);
         err = test_pkey_sign_ecc(pkey, wpLibCtx, buf, sizeof(buf), ecdsaSig,
                                  &ecdsaSigLen);
-#if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
-        err = err != 1;
-        if (err == 0) {
-            PRINT_MSG("ECDSA failed, expected (P-192 not allowed w/ FIPS)");
-        }
-        else {
-            PRINT_MSG("ECDSA succeeded, unexpected (P-192 not allowed w/ "
-                "FIPS)");
-        }
-    }
-#else
     }
     if (err == 0) {
         PRINT_MSG("Verify with OpenSSL");
@@ -1250,6 +1269,37 @@ int test_ecdsa_p192(void *data)
         pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, sizeof(ecc_key_der_192));
         err = pkey == NULL;
     }
+#if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
+    /* In FIPS mode, P-192 operations are not allowed, so we expect all operations to fail */
+    if (err == 0) {
+        PRINT_MSG("Sign with OpenSSL");
+        ecdsaSigLen = sizeof(ecdsaSig);
+        err = test_digest_sign(pkey, osslLibCtx, buf, sizeof(buf), md,
+                              ecdsaSig, &ecdsaSigLen, 0);
+        /* OpenSSL should also reject P-192 in FIPS mode */
+        err = err != 1;
+        if (err == 0) {
+            PRINT_MSG("OpenSSL sign failed, expected (P-192 not allowed w/ FIPS)");
+        }
+        else {
+            PRINT_MSG("OpenSSL sign succeeded, unexpected (P-192 not allowed w/ FIPS)");
+        }
+    }
+    if (err == 0) {
+        PRINT_MSG("Sign with wolfprovider");
+        ecdsaSigLen = sizeof(ecdsaSig);
+        err = test_digest_sign(pkey, wpLibCtx, buf, sizeof(buf), md,
+                              ecdsaSig, &ecdsaSigLen, 0);
+        err = err != 1;
+        if (err == 0) {
+            PRINT_MSG("ECDSA failed, expected (P-192 not allowed w/ FIPS)");
+        }
+        else {
+            PRINT_MSG("ECDSA succeeded, unexpected (P-192 not allowed w/ "
+                "FIPS)");
+        }
+    }
+#else
     if (err == 0) {
         PRINT_MSG("Sign with OpenSSL");
         ecdsaSigLen = sizeof(ecdsaSig);
@@ -1275,17 +1325,6 @@ int test_ecdsa_p192(void *data)
         ecdsaSigLen = sizeof(ecdsaSig);
         err = test_digest_sign(pkey, wpLibCtx, buf, sizeof(buf), md,
                               ecdsaSig, &ecdsaSigLen, 0);
-#if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
-        err = err != 1;
-        if (err == 0) {
-            PRINT_MSG("ECDSA failed, expected (P-192 not allowed w/ FIPS)");
-        }
-        else {
-            PRINT_MSG("ECDSA succeeded, unexpected (P-192 not allowed w/ "
-                "FIPS)");
-        }
-    }
-#else
     }
     if (err == 0) {
         PRINT_MSG("Verify with OpenSSL");
diff --git a/test/test_rsa.c b/test/test_rsa.c
@@ -560,9 +560,8 @@ int test_rsa_sign_sha1(void *data)
 
     (void)data;
 #if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
-    /* Signing with wolfProvider should fail, but verifying with wolfProvider should
-     * succeed. In FIPS mode, we can only verify RSA signatures using SHA-1, not
-     * generate them. */
+    /* Signing with SHA-1 is not allowed in FIPS mode.
+     * We expect both OpenSSL and wolfProvider to reject SHA-1 signing. */
     EVP_PKEY *pkey = NULL;
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
     const RSA *rsaKey = NULL;
@@ -594,17 +593,26 @@ int test_rsa_sign_sha1(void *data)
         PRINT_MSG("Sign with OpenSSL");
         err = test_digest_sign(pkey, osslLibCtx, buf, sizeof(buf), "SHA-1",
                                rsaSig, &rsaSigLen, 0);
-    }
-    if (err == 0) {
-        PRINT_MSG("Verify with wolfprovider");
-        err = test_digest_verify(pkey, wpLibCtx, buf, sizeof(buf), "SHA-1",
-                                 rsaSig, rsaSigLen, 0);
+        /* OpenSSL should reject SHA-1 signing in FIPS mode */
+        err = err != 1;
+        if (err == 0) {
+            PRINT_MSG("OpenSSL sign failed, expected (SHA-1 signing not allowed w/ FIPS)");
+        }
+        else {
+            PRINT_MSG("OpenSSL sign succeeded, unexpected (SHA-1 signing not allowed w/ FIPS)");
+        }
     }
     if (err == 0) {
         PRINT_MSG("Sign with wolfprovider");
         rsaSigLen = RSA_size(rsaKey);
         err = test_digest_sign(pkey, wpLibCtx, buf, sizeof(buf), "SHA-1",
                               rsaSig, &rsaSigLen, 0) != 1;
+        if (err == 0) {
+            PRINT_MSG("wolfProvider sign failed, expected (SHA-1 signing not allowed w/ FIPS)");
+        }
+        else {
+            PRINT_MSG("wolfProvider sign succeeded, unexpected (SHA-1 signing not allowed w/ FIPS)");
+        }
     }
     EVP_PKEY_free(pkey);
 
@@ -1045,13 +1053,8 @@ int test_rsa_pkey_invalid_key_size(void *data) {
         err = RAND_bytes(buf, sizeof(buf)) == 0;
     }
 
-    if ((err == 0) && (!noKeyLimits)) {
-        PRINT_MSG("Check that signing with an invalid key size fails.");
-        err = test_pkey_sign(pkey, wpLibCtx, buf, sizeof(buf), rsaSig,
-            &rsaSigLen, 0, NULL, NULL) == 0;
-    }
-
 #if defined(HAVE_FIPS) || defined(HAVE_FIPS_VERSION)
+    /* In FIPS mode, 1024-bit keys are allowed, so skip the invalid key size check */
     if (err == 0) {
         PRINT_MSG("Check that signing with OpenSSL and verifying with "
             "wolfProvider using a 1024-bit key works.");
@@ -1062,6 +1065,12 @@ int test_rsa_pkey_invalid_key_size(void *data) {
         err = test_pkey_verify(pkey, wpLibCtx, buf, sizeof(buf), rsaSig,
             rsaSigLen, 0, NULL, NULL);
     }
+#else
+    if ((err == 0) && (!noKeyLimits)) {
+        PRINT_MSG("Check that signing with an invalid key size fails.");
+        err = test_pkey_sign(pkey, wpLibCtx, buf, sizeof(buf), rsaSig,
+            &rsaSigLen, 0, NULL, NULL) == 0;
+    }
 #endif /* HAVE_FIPS || HAVE_FIPS_VERSION */
 
     EVP_PKEY_free(pkey);
